Skip to content

Hide Navigation Hide TOC

Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf)

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. (Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern 1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 1
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb) Threat Actor 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 1
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Pteranodon (d5138738-846e-4466-830c-cd2bb6ad09cf) Malpedia Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 2
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware 2
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern 2
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 2
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 2
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern 2
Aqua Blizzard (fc77a775-d06f-5efc-a6fa-0b2af01902a7) Microsoft Activity Group actor Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb) Threat Actor 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 3
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3